A physical card skimmer is a clip-on plastic shell glued to an ATM keypad. A digital one is a few hundred bytes of JavaScript on your checkout page. The plastic version is dying off; the JavaScript one is having the best decade of its life.
The mechanics are simple: a script you didn't write — or a script you did write, loaded from a CDN you don't control — listens to the payment form and exfiltrates the keystrokes to a server the attacker owns. The customer's purchase still goes through. Nobody finds out until the bank's fraud-detection model does.
How it actually happens
- Initial access. Either your site is compromised directly (a plugin CVE, a leaked admin credential, a misconfigured S3 bucket) or — more often these days — a third-party dependency is. The Magecart family of groups has used both for years.
- Script injection. A
<script>tag is added to the checkout page, sometimes obfuscated, sometimes loaded from a domain that's one Unicode character off the real one.cdn-payment[.]com,google-tagmanagers[.]com,js-stats[.]net— domains chosen so a glance at network DevTools doesn't flag them. - Form listening. When the page loads the script attaches event listeners to the card-number, expiry, CVV, and address fields. Every keystroke is buffered and POSTed out, often only at form-submit time so the user-experience telemetry stays clean.
- Sale. Cards move to carding markets within hours. By the time the bank flags the first fraudulent transaction, the skimmer has been active for weeks.
The whole thing fits in under 50 lines.
Why this isn't getting better
Web skimming scales. One compromised payment page on a popular Shopify or Magento theme can bleed credentials from thousands of unrelated merchants. The economics are forgiving for the attacker:
- The page renders normally. No layout shift, no broken checkout, no user complaint.
- It survives HTTPS — TLS protects the channel, not what runs inside the browser.
- It survives most server-side scanners — the malicious code never lives on your origin.
- The data is liquid the second it lands; carding markets clear in minutes.
The headline incidents people still cite — British Airways, Ticketmaster, Newegg — happened in 2018. The 2024 Polyfill.io supply-chain takeover proved the pattern hasn't aged: a domain that 100,000+ sites trusted started serving region-targeted malware the day after a sale, and most of the affected operators didn't know for weeks.
Where LinkSentry comes in
A web skimmer almost always shows up as a new third-party request from your page — a script tag, an image beacon, a JSON POST to a domain that wasn't in your dependency manifest yesterday. That's the signal worth alerting on.
LinkSentry watches outbound dependencies on a per-page basis, including the ones behind authentication. When a new script source appears on your checkout, login, or any page you've marked sensitive — or when an existing script starts being served from a different domain — you get notified before the next checkout completes.
That covers two failure modes you can't see from your own logs: dependencies your CMS or build pipeline added without you noticing, and trusted third parties whose own infrastructure quietly changed hands.
What to do if your store takes payments
You probably don't need to be told the risk is real. You need a way to know within minutes — not weeks — that the dependency list of your checkout page changed. That's what LinkSentry exists to give you:
- Per-page inventory of every third-party request your customers' browsers actually make
- Diff alerts when that inventory changes
- Reputation and re-registration signals for every domain in the list
A breach you catch in the first hour is a postmortem. A breach you catch in the first month is a press release.